[Logcheck-devel] Bug#775090: logcheck-database: Should filter ssh preauth disconnect ok messages

Enrico Zini enrico at enricozini.org
Wed Feb 10 10:58:28 UTC 2016


On Sun, Jan 11, 2015 at 08:40:59AM +0100, Adrian Heine wrote:

> I get tons of messages for sshd like these:
>   Received disconnect from [IP]: 11: ok [preauth]
> `Bye Bye [preauth]` is already filtered out.

I also get them with an empty string instead of ok or "Bye Bye":

… sshd[25563]: Received disconnect from 125.88.177.93: 11:  [preauth]
… sshd[25565]: Received disconnect from 125.88.177.93: 11:  [preauth]
… sshd[25569]: Received disconnect from 125.88.177.93: 11:  [preauth]
… sshd[25594]: Received disconnect from 125.88.177.93: 11:  [preauth]
… sshd[25596]: Received disconnect from 125.88.177.93: 11:  [preauth]
… sshd[25598]: Received disconnect from 125.88.177.93: 11:  [preauth]

So I tweaked your rule this way:

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+: 11: (Bye Bye|ok|) \[preauth\]$

Enrico

-- 
GPG key: 4096R/E7AD5568 2009-05-08 Enrico Zini <enrico at enricozini.org>
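An added example, not part of Enrico's mail or the logcheck database: it pipes constructed sshd lines through the tweaked rule with grep -E (the egrep dialect logcheck applies; GNU grep is assumed for \w) to confirm that the three preauth variants are swallowed while other disconnect lines still reach the report. The host name, PIDs and 192.0.2.10 address are made up.

```shell
#!/bin/sh
# Added example, not from the thread: feed constructed sshd lines through the
# tweaked rule with grep -E (the egrep dialect logcheck uses; GNU grep assumed
# for \w) and see which lines it swallows and which still reach the report.

RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+: 11: (Bye Bye|ok|) \[preauth\]$'

# Constructed sample lines (RFC 5737 test address, made-up host and PIDs).
# The first three are the preauth variants discussed in the thread; the last
# two must NOT be ignored: a different reason text, and a disconnect after
# authentication (no "[preauth]" suffix).
SAMPLE_LOG='Feb 10 10:58:28 host1 sshd[25563]: Received disconnect from 192.0.2.10: 11:  [preauth]
Feb 10 10:58:29 host1 sshd[25565]: Received disconnect from 192.0.2.10: 11: ok [preauth]
Feb 10 10:58:30 host1 sshd[25569]: Received disconnect from 192.0.2.10: 11: Bye Bye [preauth]
Feb 10 10:58:31 host1 sshd[25594]: Received disconnect from 192.0.2.10: 11: Normal Shutdown [preauth]
Feb 10 10:58:32 host1 sshd[25596]: Received disconnect from 192.0.2.10: 11: disconnected by user'

# Number of sample lines the rule matches, i.e. lines logcheck would drop.
ignored_count() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -c -- "$RULE"
}

# Number of sample lines left after the rule, i.e. what would still be mailed.
reported_count() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -v -c -- "$RULE"
}

# The leftover lines themselves, for eyeballing what the rule does not cover.
reported_lines() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -v -- "$RULE"
}

# Exit 0 only if the single line given as $1 is ignored by the rule; handy for
# checking one new message before adding a rule to a logcheck database file.
rule_ignores() {
    printf '%s\n' "$1" | grep -E -q -- "$RULE"
}

echo "ignored: $(ignored_count), still reported: $(reported_count)"
reported_lines
```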
